CiSCO 2600 and class-map/policy-map

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • CiSCO 2600 and class-map/policy-map

    Hello everyone,

    here is my problem!!

    I have a bunch of users who stay 25h out of 25 on YouTube and anything *video* related.


    class-map match-any ONLINE_VIDEOS
    match protocol http host "www.youtube.com"
    match protocol http host "*hi5*"
    match protocol http host "*video*"
    !
    !
    policy-map DROP_ONLINE_VIDEOS
    class ONLINE_VIDEOS
    police 16000

    interface FastEthernet0/0
    description _WAN_INTERFACE_
    service-policy output DROP_ONLINE_VIDEOS


    and here are the troublemakers: 192.168.100.4, 192.168.100.17, 192.168.100.4, 192.168.100.11, 192.168.100.23


    The idea is to apply the policy only to those IPs, not globally.

    I'm quite new to the Cisco world; it may be simple, but I didn't figure it out.

  • #2
    Re: CiSCO 2600 and class-map/policy-map

    May want to check what other "video" related protocols nbar can match on. I believe you will miss a bunch with that class map.

    Also any reason to police it? Why not just flat out drop it. Also i would put the policy inbound on your lan facing interface unless you have internal servers hosting videos.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


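    Following up on the point above about NBAR matching more than a hand-written list of hostnames: the commands below are an added example, not part of the thread, showing how to let the router report which NBAR protocols it actually sees on the LAN side before building the class-map. The interface name is taken from the poster's config; nothing else is assumed. Note that protocol discovery costs CPU on a 2600, so switch it off again once the list has been read.

    ```cisco
    ! Added example (not from the thread): enable NBAR protocol discovery on
    ! the LAN-facing interface so the router tallies traffic per NBAR protocol.
    interface FastEthernet0/1
     ip nbar protocol-discovery
    !
    ! From exec mode, after some traffic has flowed, list the busiest protocols
    ! (byte counts per protocol in each direction) and the port-to-protocol map
    ! NBAR uses for the non-inspected protocols:
    !   show ip nbar protocol-discovery interface FastEthernet0/1 top-n 10
    !   show ip nbar port-map
    !
    ! Remove discovery once the class-map has been built (CPU cost on a 2600):
    interface FastEthernet0/1
     no ip nbar protocol-discovery
    ```

    Anything that shows up under a name other than `http` in that output will never be caught by `match protocol http host "..."` and needs its own `match protocol` line in the class-map.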
    • #3
      Re: CiSCO 2600 and class-map/policy-map

      Well, in fact cutting *video* may not be the best idea, as I'm cutting access to some video tutorials.

      The problem is in fact some annoying online movie websites: not Netflix, but something like it.

      I'm hosting some development servers behind the router, and I'm getting a lot of complaints about slow access to them...

      I started to understand the concept of class-map/policy-map;

      ...but still don't get how to apply it to an access list.


      • #4
        Re: CiSCO 2600 and class-map/policy-map

        If you want to match on an acl do this:


        ! Named extended ACL; a numbered ACL would be "access-list 100 ..." and
        ! referenced as "match access-group 100" instead.
        ip access-list extended NO_INTERNET
         permit tcp any any eq www
        !
        class-map match-any NO_INTERNET
         match access-group name NO_INTERNET
        !
        policy-map NO_INTERNET
         class NO_INTERNET
          drop

        I think some people get confused with the permit in the ACL. We are permitting the ACL to be dropped.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)


        • #5
          Re: CiSCO 2600 and class-map/policy-map

          OK, so...

          class-map match-any ONLINE_MOVIES

          match protocol http host "www.moviesonline.ca"

          match protocol http host "www.bestmovies.cc"

          match access-group 190
          policy-map DROP_ONLINE_MOVIES
          class ONLINE_MOVIES
          drop


          access-list 190 permit tcp host 192.168.100.4 any eq www
          access-list 190 permit tcp host 192.168.100.17 any eq www


          interface FastEthernet0/0

          description _WAN_INTERFACE_

          service-policy output DROP_ONLINE_MOVIES

          however, the whole 192.168.100.0/24 class is banned!!

          Am I missing something?


          • #6
            Re: CiSCO 2600 and class-map/policy-map

            That access list was just an example. It blocks all web traffic from those hosts to any destination.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)


            • #7
              Re: CiSCO 2600 and class-map/policy-map

              Please post your full config as well.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)


              • #8
                Re: CiSCO 2600 and class-map/policy-map

                version 12.4
                service config
                no service pad
                service tcp-keepalives-in
                service tcp-keepalives-out
                service timestamps debug datetime msec
                service timestamps log datetime msec
                service password-encryption
                !
                hostname Core_R1
                !
                boot-start-marker
                boot system flash c2600-advipservicesk9-mz.124-25d.bin
                boot-end-marker
                !
                security authentication failure rate 4 log
                security passwords min-length 8
                logging console
                enable secret 5 $1$_SECRET.
                enable password 7 DONKY_}_KONG
                !
                aaa new-model
                !
                !
                aaa authentication login default local
                aaa authorization exec default local
                !
                aaa session-id common
                memory-size iomem 10
                clock timezone GMT 1
                no network-clock-participate slot 1
                no network-clock-participate wic 0
                ip cef
                !
                !
                !
                no ip bootp server
                ip domain name core1.cz
                ip name-server 10.11.0.254
                ip auth-proxy max-nodata-conns 3
                ip admission max-nodata-conns 3
                login block-for 300 attempts 3 within 30
                login on-failure log
                !
                !
                crypto pki trustpoint TP-self-signed-4191734879
                enrollment selfsigned
                subject-name cn=IOS-Self-Signed-Certificate-4191734879
                revocation-check none
                rsakeypair TP-self-signed-4191734879
                !
                !
                crypto pki certificate chain TP-self-signed-4191734879
                certificate self-signed 01
                XXX
                quit
                username xxx privilege 15 secret 5 $1$xxx.
                username zzz privilege 15 secret 5 $1$zzz
                !
                !
                ip ssh port 2828 rotary 1
                ip ssh version 2
                !
                class-map match-any URLS
                match protocol http host "www.moviesonline.ca"
                match protocol http host "www.bestmovies.cc"

                class-map match-any SOCIAL_NET
                match protocol http host "www.youtube.com"
                match protocol http host "*hi5*"
                match protocol http host "*facebook*"

                class-map match-all ONLINE_MOVIES
                match class-map URLS
                match access-group 190
                !
                !
                policy-map DROP_ONLINE_MOVIES
                class ONLINE_MOVIES
                drop

                policy-map DROP_SOCIAL_NET
                class SOCIAL_NET
                drop
                !
                !
                !
                interface Null0
                no ip unreachables
                !
                interface FastEthernet0/0
                description _WAN_INTERFACE_
                mac-address _MAC_
                ip address _IP_ _MASK_
                no ip redirects
                no ip unreachables
                no ip proxy-arp
                ip nat outside
                ip virtual-reassembly
                duplex auto
                speed auto
                no cdp enable
                service-policy output DROP_ONLINE_MOVIES
                !
                interface Serial0/0
                no ip address
                shutdown
                !
                interface FastEthernet0/1
                description _LAN_INTERFACE_
                ip address 192.168.40.21 255.255.255.0
                ip helper-address 192.168.40.220
                ip nat inside
                ip virtual-reassembly
                no ip mroute-cache
                speed auto
                full-duplex
                no mop enabled
                !
                ip forward-protocol nd
                ip forward-protocol udp 1194
                ip route 0.0.0.0 0.0.0.0 10.10.11.254
                !
                !
                ip http server
                ip http access-class 20
                ip http authentication local
                ip http secure-server
                ip nat pool p2p 192.168.40.10 192.168.40.10 netmask 255.255.255.0 type rotary
                ip nat pool WoW 192.168.40.20 192.168.40.20 netmask 255.255.255.0 type rotary
                ip nat inside source list 101 interface FastEthernet0/0 overload
                ip nat inside source static tcp 192.168.40.210 8081 interface FastEthernet0/0 8081
                ip nat inside source static udp 192.168.40.220 1194 interface FastEthernet0/0 1194
                ip nat inside source static udp 192.168.40.220 53 interface FastEthernet0/0 53
                ip nat inside source static tcp 192.168.40.220 53 interface FastEthernet0/0 53
                ip nat inside source static tcp 192.168.40.245 80 interface FastEthernet0/0 80
                ip nat inside source static tcp 192.168.40.244 143 interface FastEthernet0/0 143
                ip nat inside source static tcp 192.168.40.245 443 interface FastEthernet0/0 443
                ip nat inside source static tcp 192.168.40.245 587 interface FastEthernet0/0 587
                ip nat inside source static tcp 192.168.40.245 25 interface FastEthernet0/0 25
                ip nat inside destination list 102 pool p2p
                ip nat inside destination list 103 pool WoW
                !
                !
                access-list 20 permit 192.168.40.50
                access-list 20 permit 192.168.40.70
                access-list 20 permit 192.168.40.10
                access-list 20 deny any log

                access-list 30 permit 192.168.40.233
                access-list 30 deny any log

                access-list 101 permit ip 192.168.40.0 0.0.0.255 any

                access-list 102 permit tcp any any range 55000 60000

                access-list 103 permit tcp any any range 6112 6119
                access-list 103 permit tcp any any range 6881 6999

                access-list 190 permit tcp host 192.168.40.5 any eq www
                access-list 190 permit tcp host 192.168.40.203 any eq www

                snmp-server community _INT_COMM RO 30
                !
                !
                !
                !
                control-plane


                • #9
                  Re: CiSCO 2600 and class-map/policy-map

                  R1#sh policy-map int fa0/0
                  FastEthernet0/0

                  Service-policy input: NO_INTERNET

                  Class-map: NO_INTERNET (match-any)
                  24 packets, 1440 bytes
                  5 minute offered rate 0 bps, drop rate 0 bps
                  Match: access-group 101
                  12 packets, 720 bytes
                  5 minute rate 0 bps
                  drop

                  Class-map: class-default (match-any)
                  176 packets, 13103 bytes
                  5 minute offered rate 0 bps, drop rate 0 bps
                  Match: any

                  Extended IP access list 101
                  10 permit tcp host 10.0.0.3 host 40.0.0.2 eq telnet (4 matches)
                  20 permit tcp host 10.0.0.3 host 40.0.0.2 eq www (8 matches)


                  This policy drops any telnet or web traffic sourced from 10.0.0.3 to 40.0.0.2. Anything not matched is permitted by the class-default class map. Make sure you see that "default" class-map. It won't show up in the running config, but you will see it when you run

                  show policy-map interface "wan interface"
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)


                  • #10
                    Re: CiSCO 2600 and class-map/policy-map

                    class-map match-any URLS
                    match protocol http host "www.moviesonline.ca"
                    match protocol http host "www.bestmovies.cc"

                    class-map match-all ONLINE_MOVIES
                    match class-map URLS
                    match access-group 190

                    policy-map DROP_ONLINE_MOVIES
                    class ONLINE_MOVIES
                    drop

                    access-list 190 permit tcp host 192.168.100.4 any
                    access-list 190 permit tcp host 192.168.100.17 any


                    interface FastEthernet0/1

                    description _LAN_INTERFACE_
                    service-policy input DROP_ONLINE_MOVIES

                    !!! Damn, it's WORKING!!!
                    Last edited by fritz001; 28th February 2012, 15:28.


                    • #11
                      Re: CiSCO 2600 and class-map/policy-map

                      So you moved the policy to the LAN interface? That's the way I would do it. I think the issue with it on the WAN side is that, since you are NATting, there may have been an order-of-operations issue (i.e. it was NATting before hitting the policy).
                      CCNA, CCNA-Security, CCNP
                      CCIE Security (In Progress)


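                      Putting the thread's pieces together, as an added example that is not part of the original posts: the host ACL scoping a nested match-any class via a match-all class (#4, #6, #10), the policy applied inbound on the LAN interface so it classifies pre-NAT source addresses (#11), and the class-default counters used to verify it (#9). The running config in #8 also defines DROP_SOCIAL_NET but never applies it; an interface accepts only one service-policy per direction, so both classes are folded into a single policy-map here. The ACL name THROTTLED_HOSTS, the class name SOCIAL_NET_HOSTS and the policy-map name LAN_INBOUND are my own choices; the host addresses are the ones in ACL 190 of the posted config.

                      ```cisco
                      ! Added example, not the thread's own config. Names marked (assumed)
                      ! are invented for illustration.
                      !
                      ! Hosts the restriction applies to (assumed name). "permit ip" rather
                      ! than "eq www": the nested URLS/SOCIAL_NET classes already narrow the
                      ! traffic to HTTP, so the ACL only needs to select the source hosts.
                      ip access-list extended THROTTLED_HOSTS
                       permit ip host 192.168.40.5 any
                       permit ip host 192.168.40.203 any
                      !
                      ! Sites, matched by NBAR on the plaintext HTTP Host header. Wildcards
                      ! are allowed. HTTPS is not classified by "match protocol http host"
                      ! and will fall through to class-default.
                      class-map match-any URLS
                       match protocol http host "www.moviesonline.ca"
                       match protocol http host "www.bestmovies.cc"
                      !
                      class-map match-any SOCIAL_NET
                       match protocol http host "www.youtube.com"
                       match protocol http host "*hi5*"
                       match protocol http host "*facebook*"
                      !
                      ! match-all is a logical AND: from a listed host AND to a listed site.
                      ! (A match-any class here would drop ALL traffic from the listed hosts,
                      ! which is what happened in #5.)
                      class-map match-all ONLINE_MOVIES
                       match class-map URLS
                       match access-group name THROTTLED_HOSTS
                      !
                      class-map match-all SOCIAL_NET_HOSTS
                       match class-map SOCIAL_NET
                       match access-group name THROTTLED_HOSTS
                      !
                      ! One policy-map (assumed name) carrying both classes: movies dropped,
                      ! social sites rate-limited to 16 kbps for the listed hosts only.
                      policy-map LAN_INBOUND
                       class ONLINE_MOVIES
                        drop
                       class SOCIAL_NET_HOSTS
                        police 16000 conform-action transmit exceed-action drop
                       class class-default
                      !
                      ! Inbound on the LAN side: source addresses are still the inside
                      ! 192.168.40.x ones here; on the WAN output side NAT has already
                      ! rewritten them, so ACL 190 could never match there.
                      interface FastEthernet0/1
                       description _LAN_INTERFACE_
                       no service-policy input DROP_ONLINE_MOVIES
                       service-policy input LAN_INBOUND
                      !
                      ! Verify: per-class packet and drop counters; traffic that matched no
                      ! class shows up under class-default.
                      !   show policy-map interface FastEthernet0/1 input
                      ```

                      Two checks worth doing after applying it: browse a listed site from a listed host and from an unlisted one and confirm that only the first increments the ONLINE_MOVIES counters, and keep in mind that the class counters for the sites will stay at zero for any session the browser negotiates over HTTPS.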

                      • #12
                        Re: CiSCO 2600 and class-map/policy-map

                        Yes... at least now I have a better understanding of how NAT works on Cisco devices....